Thursday, June 23, 2016

This week I published a PoC for CVE-2016-4989, which is yet another local root exploit for setroubleshoot, working out of the box on CentOS/RHEL 6.6, 6.7, 6.8, 7.0 and 7.1. The underlying vulnerability and exploitation strategy is very similar to CVE-2015-1815, so the writeup inside the git repository almost entirely applies, except that the PoC may be executed via remote shells (ssh) and that it uses a helper binary in order to get SELinux domain confinement for an unconfined user, triggering the bug inside setroubleshoot. To my knowledge this is a novel approach. It's also new that straight-shooter may be used as a Docker breakout, if run inside a container on a host that has setroubleshoot running.

Out of personal interest: If you like exploits, either professionally or as a hobby, and demand freedom of speech or freedom of expression, try your best to lobby against the Wassenaar regulation of exploits. The Wassenaar regulation of exploits is just a vehicle (sold to you as a privacy win) to cover backdoors and criminalize bug finding. Any serious exploit coder and researcher I know is arguing against Wassenaar, and so should you.